
[P0] Clarify current signing status and download verification docs #1470

@shm11C3

Description

Why

The project is distributed through GitHub Releases and the official website, but Windows Authenticode signing is still pending and Linux artifacts are currently unsigned.
Winget is also an official Windows installation path.

The documentation should be explicit about:

  • which platforms are signed
  • which platforms are not signed yet
  • which download and installation locations are official
  • how users can verify files during the unsigned period

This reduces the risk of users trusting fake download sites or modified installers.

Scope

Update documentation in this repository.

Suggested files:

  • README.md
  • docs/README.ja.md
  • CODE_SIGNING_POLICY.md
  • A new docs/download-verification.md
  • A new docs/download-verification.ja.md, if Japanese docs are maintained separately

Tasks

  • Rewrite the opening of CODE_SIGNING_POLICY.md so it does not imply that all release artifacts are currently signed.
  • Clearly document the signing status by platform.
  • Add a verification guide for users.
  • Add a short warning about unofficial third-party distribution sites.
  • Add a warning that YouTube description links, file-sharing sites, and password-protected archives are not official distribution channels.
  • Document Winget as an official Windows installation path.
  • Make Winget the recommended Windows installation path where appropriate.
  • Explain that Winget is an installation channel and does not replace Authenticode signing, checksums, or GitHub Artifact Attestations.
  • Add checksum verification commands.
  • Add GitHub attestation verification commands.
  • Add Winget installation and package inspection commands.
  • Add macOS signature and notarization verification commands.
  • Mention that Windows SmartScreen warnings may appear until Windows code signing and reputation are fully established.

Suggested wording for CODE_SIGNING_POLICY.md

# Code signing and download authenticity policy

HardwareVisualizer publishes release artifacts through GitHub Releases and the official website.
The signing and verification status differs by platform.

## Official distribution and installation locations

Official downloads and installations are available only from:

- GitHub Releases
- https://hardviz.com/
- Winget for Windows, where available

Third-party mirrors, download sites, file-sharing links, and YouTube description links are not official distribution channels.

## Windows

Status: Authenticode code signing is pending.

We are applying to the SignPath Foundation program.
Until Windows code signing is available, verify downloads using:

- GitHub Releases
- SHA-256 checksums
- GitHub Artifact Attestations

Use Winget as the recommended Windows installation path where available:

```powershell
winget install shm11C3.HardwareVisualizer
winget show shm11C3.HardwareVisualizer
```

Winget is an official installation path, but it is not a replacement for Authenticode signing, SHA-256 checksums, or GitHub Artifact Attestations.

Windows SmartScreen may show a warning while Authenticode signing is pending.

## macOS

Status: Signed with Apple Developer ID and notarized by Apple.

Users can verify the application with macOS Gatekeeper and code signing tools.

## Linux

Status: Not cryptographically signed yet.

Linux artifacts are published through GitHub Releases.
Until Linux package signing is implemented, verify downloads using:

- GitHub Releases
- SHA-256 checksums
- GitHub Artifact Attestations

## Tauri updater signatures

Tauri updater artifacts are signed using the Tauri updater signing mechanism.
These signatures protect the application update path, but they are not a replacement for platform code signing.

Suggested verification guide

Add a new file:

```text
docs/download-verification.md
```

It should include:

  • Official download and installation locations
  • Winget installation guidance for Windows
  • SHA-256 verification
  • GitHub attestation verification
  • macOS signature verification
  • Explanation of Windows SmartScreen warnings
  • Explanation of Tauri updater signatures
  • Warning about unofficial mirrors
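A verification script of the kind the guide should document, added here as an example and not taken from the HardwareVisualizer repository. It assumes a SHA256SUMS file published beside each release asset, the GitHub CLI (gh) for attestation checks, and shm11C3 as the repository owner; the macOS helper covers the signature and notarization checks the guide lists.

```shell
#!/bin/sh
# Added example, not part of the HardwareVisualizer repository. Assumptions:
# a SHA256SUMS file ("<hex>  <asset-name>" per line) is published next to
# the asset, GitHub CLI (gh) is installed, and the repository owner is shm11C3.

# SHA-256 digest of a file, portable across Linux (sha256sum) and macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a file against the digest listed for its name in a SHA256SUMS file.
# Returns 0 on match, 1 on mismatch, 2 when the file is not listed at all.
verify_sha256() {
  name=$(basename "$1")
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n {print $1; exit}' "$2")
  if [ -z "$expected" ]; then
    echo "no checksum for $name in $2" >&2
    return 2
  fi
  actual=$(sha256_of "$1")
  if [ "$actual" != "$expected" ]; then
    echo "sha256 MISMATCH: $name expected $expected got $actual" >&2
    return 1
  fi
  echo "sha256 OK: $name"
}

# Provenance check: the GitHub Artifact Attestation must have been produced
# by a workflow in the named owner's repositories (network access required).
verify_attestation() {
  gh attestation verify "$1" --owner "${2:-shm11C3}"
}

# macOS: Developer ID signature, Gatekeeper assessment and notarization ticket.
verify_macos_app() {
  codesign --verify --deep --strict --verbose=2 "$1" &&
    spctl --assess --type execute --verbose "$1" &&
    xcrun stapler validate "$1"
}

# Linux/macOS release flow: checksum first, then provenance.
verify_release_asset() {
  verify_sha256 "$1" "$2" && verify_attestation "$1" "$3"
}
```

The checksum step runs offline; verify_attestation needs network access to fetch the attestation from GitHub.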

Acceptance criteria

  • CODE_SIGNING_POLICY.md accurately reflects the current state.
  • README links to the signing policy.
  • README links to the verification guide.
  • Japanese README is updated, if maintained.
  • Winget is documented as an official Windows installation path.
  • Windows pending-signing status is clearly visible.
  • Linux unsigned status is clearly visible.
  • macOS signed and notarized status is clearly visible.
  • Third-party distribution warning is clear and direct.
  • Documentation does not imply that Winget replaces platform code signing, checksums, or attestations.
  • Verification commands are copy-pasteable.

Metadata

Assignees: no one assigned
Labels: P0, documentation (Improvements or additions to documentation), release (Release process and distribution), security
Status: Done
Milestone: no milestone
